Pakistan Organisations Targeted By Massive Indian Cyber Operation

Pakistani bodies, including government organisations, are the main target, but UK, US and Chinese groups also targeted

A large, lengthy cyber attack allegedly carried out from within India has been uncovered, with most of the targets of the espionage operation based in Pakistan, where government bodies have been hit.

Investigations into the attack infrastructure were kicked off following a compromise of Norwegian telecoms giant Telenor in March. The campaign has been ongoing for over three years, and the targets appear to be global and diverse in nature.

Attackers used known vulnerabilities in Microsoft software to drop malware dubbed HangOver onto target machines, most of which were based in Pakistan, where 511 infections associated with the campaign were detected. HangOver installs keyloggers, takes screenshots and records victims’ browser usage, before sending the pilfered data off to remote servers by FTP or HTTP.

China, Iran and the US were also key targets, along with some UK organisations.

Norman Shark, the Norwegian security company that researched the operation, said it appeared the London-based Eurasian Natural Resources Corporation (ENRC) was a likely target. ENRC had not responded to a request for comment at the time of publication.

Pakistan attacks

In the attacks on Pakistani organisations, spear phishing emails were sent out purporting to contain information on “ongoing conflicts in the region, regional culture and religious matters”, according to Norman.

Norman could not provide direct attribution to the attacks, but its report did note the following: “The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin.”

Snorre Fagerland, principal security researcher in the Malware Detection Team at Norman, told TechWeekEurope it appeared Pakistani government bodies had been attacked.

“We know pretty well at least one computer in a government body was infected with uploader malware for at least a few hours in 2012,” Fagerland told TechWeek. “We also have indications an embassy belonging to Pakistan has been connecting to the same infrastructure.”

There was another association with India in the repeated appearance of the word “Appin”. “There seems to be some connection with the Indian security company called Appin Security Group,” Norman wrote.

“By this, we are not implicating or suggesting inappropriate activity by Appin. Maybe someone has tried to hurt Appin by falsifying evidence to implicate them. Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations. Getting to the bottom of that is beyond our visibility.”

Domains used by the attack infrastructure also used the name Appin. Again, this does not prove any involvement from Appin.

“Another example is the domain zerodayexploits.org. This domain has a history of resolving to a series of malicious IP addresses used for malware attacks (173.236.24.254, 8.22.200.44). This website which offers bounties for zero-day exploits, claims to be founded by ‘Appin Morpheus’ and powered by Appin,” the Norman report read.
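The infrastructure pivot Norman describes above (a domain with a history of resolving to addresses already seen in attacks) is the kind of check a defender can run over their own resolver logs. The script below is an added example and is not code from the article, from Norman or from any party named in it. It uses only the domain and the two IP addresses quoted from the report as indicators; the log format, the client addresses and the domain `update.hypothetical-lookalike.test` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators quoted in the Norman report excerpt above.
KNOWN_BAD_DOMAINS = {"zerodayexploits.org"}
KNOWN_BAD_IPS = {"173.236.24.254", "8.22.200.44"}

# Constructed sample resolver log (not real traffic). Assumed format:
# "<timestamp> <client-ip> <queried-name> A <answer-ip>"
SAMPLE_DNS_LOG = """\
2013-05-20T10:01:02Z 10.0.0.17 www.example.com A 93.184.216.34
2013-05-20T10:01:09Z 10.0.0.17 zerodayexploits.org A 173.236.24.254
2013-05-20T10:02:31Z 10.0.0.23 update.hypothetical-lookalike.test A 8.22.200.44
2013-05-20T10:03:00Z 10.0.0.23 www.example.com A 93.184.216.34
2013-05-21T08:15:44Z 10.0.0.23 update.hypothetical-lookalike.test A 203.0.113.5
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, ip) tuples; skip malformed lines and bad IPs."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, client, qname, ip = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield ts, client, qname.lower().rstrip("."), ip


def build_passive_dns(records):
    """Passive-DNS style view: each queried name -> set of addresses it resolved to."""
    pdns = defaultdict(set)
    for _, _, qname, ip in records:
        pdns[qname].add(ip)
    return pdns


def find_hits(text):
    """Flag log records that touch a known-bad domain or IP, or a domain that
    has shared an address with one (the pivot Norman applied to zerodayexploits.org)."""
    records = list(parse_dns_log(text))
    pdns = build_passive_dns(records)
    pivoted = {name for name, ips in pdns.items() if ips & KNOWN_BAD_IPS}
    hits = []
    for ts, client, qname, ip in records:
        reasons = []
        if qname in KNOWN_BAD_DOMAINS:
            reasons.append("known-bad domain")
        if ip in KNOWN_BAD_IPS:
            reasons.append("known-bad ip")
        elif qname in pivoted:
            # Resolved to a clean-looking address now, but the same name has
            # pointed at a known-bad address before: worth an analyst's look.
            reasons.append("pivot")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "ip": ip, "reasons": reasons})
    return hits


def affected_clients(hits):
    """Sorted list of internal clients that produced at least one hit."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_DNS_LOG):
        print(hit["ts"], hit["client"], hit["qname"], hit["ip"], ",".join(hit["reasons"]))
    print("clients to triage:", affected_clients(find_hits(SAMPLE_DNS_LOG)))
```

The third hit is the interesting one: on its own that record looks benign, and only the earlier overlap with a reported address brings it into scope. As Norman's own caveats make clear, shared hosting means a pivot of this kind is a lead for an analyst, not proof by itself.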

Appin describes itself as the world’s fourth largest critical infrastructure security provider. It had not responded to requests for comment at the time of publication.

Another firm, Mantra Tech Ventures, was also alleged to be hosting a number of malicious sites run by the attackers, Norman said, although that may well have been a coincidence. Mantra had also not responded to a request for comment at the time of publication.

Activists were also targeted. The Khalistan movement, a secessionist group hoping to create a separate Sikh nation in the Punjab region, and the Nagaland movement, another group hoping for a sovereign homeland covering parts of India and Burma, were attacked.

The wide array of targets could mean the attackers are renting out their infrastructure. “It could mean they are doing things on contract,” Fagerland added.

Norman’s research expands on findings from ESET last week, which pointed to various attacks emanating from India on Pakistani groups.

UPDATE: Appin contacted TechWeekEurope to distance itself from any suggestion it was involved in the attacks. As our report noted, there was never any accusation Appin had done anything, only that their name had been mentioned in the attackers’ code.

The company sent an opinion letter from security expert Professor Solange Ghernaouti, in which she said there was no proof Appin was connected to the attacks, as this report had also noted.

“The chain of reasoning can appear attractive, but is subject by its very nature (dynamic addresses, obfuscated code, hidden and mobile website registrations) to a degree of uncertainty and multiple interpretations,” she said. “In any case, it does not constitute solid evidence or prove anything.”

Appin has now asked Norman to issue a retraction. “I cannot comment on Appin’s questions or statements on the report and all I can say is that I stand behind the results that are in the report that are on the website,” Fagerland added.
